bitrat

General

Target

b9874cdde692f485a1c609aeafd075c3
Size

16.5MB
Sample

240307-yrwrlsdd41
MD5

b9874cdde692f485a1c609aeafd075c3
SHA1

8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
SHA256

66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
SHA512

955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
SSDEEP

98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Score

10^/10

bitrat hiverat quasar et rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ET

C2

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606

Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes

encryption_key
jVpAHlJqCIQYSDZsOYMx
install_name
Client.exe
log_directory
db.xlm
reconnect_delay
30000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

bitrat

Version

1.38

C2

hiv.dyndns.org:2222

Attributes

communication_password
194dd40edef1873b88c241057bb55f1b
tor_process
tor

Targets

- Target
  
  b9874cdde692f485a1c609aeafd075c3
- Size
  
  16.5MB
- MD5
  
  b9874cdde692f485a1c609aeafd075c3
- SHA1
  
  8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
- SHA256
  
  66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
- SHA512
  
  955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
- SSDEEP
  
  98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh
Score

10^/10

bitrat hiverat quasar et rat spyware stealer trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- HiveRAT
  HiveRAT is an improved version of FirebirdRAT with various capabilities.
  rat stealer hiverat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- HiveRAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

HiveRAT

Quasar RAT

Quasar payload

HiveRAT payload

Checks computer location settings

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2